India’s New Data Protection Law 2023: What it means for Tech companies

Highlights

  • India’s new Data Protection Law enforces strict consent, user rights, and accountability for tech companies.
  • Firms must comply with rules on data localisation, cross-border transfers, and significant fiduciary obligations.
  • The law empowers users with access, correction, and deletion rights while imposing steep penalties for violations.

In August 2023, India passed the Digital Personal Data Protection Act (DPDP), 2023, after years of deliberation and multiple draft versions. Widely seen as a watershed moment in India’s digital policy evolution, the law was introduced with the dual objectives of protecting individual privacy and creating a robust framework for the governance of digital personal data. In an era of data-driven economies, India’s law puts the nation on par with international frameworks like the EU’s General Data Protection Regulation (GDPR), while also incorporating India-specific elements reflecting its regulatory priorities and socio-political realities.

The implications for tech companies, both Indian startups and global tech giants, are substantial. From compliance obligations and technical infrastructure changes to potential fines and opportunities to build digital trust, this legislation reshapes the operating landscape for digital services in India.

The Road to the DPDP Act: A Brief Background

The journey to India’s data protection law was long and contested. It began with the landmark 2017 Supreme Court judgment in the Puttaswamy case, which recognised privacy as a fundamental right under the Indian Constitution. This ruling triggered the process of drafting a comprehensive data protection bill. After multiple versions, public consultations, and pushback from civil society and industry, the DPDP Act was finally passed by Parliament in August 2023.

While the law was officially enacted that month, its enforcement mechanism and accompanying rules were delayed until 2025. Only in early 2025 were draft rules issued for public consultation, setting the stage for full implementation later that year.

What the Law Covers and Who It Affects

The DPDP Act applies to the processing of digital personal data, whether collected online or digitised after being collected offline. This distinction is important, as purely offline data handling remains outside the law’s scope. More crucially, the law applies not only to companies based in India but also to foreign entities that offer goods and services to Indian users or monitor their online behavior.

Companies that determine the ‘purpose and means’ of processing data are called data fiduciaries. Those handling sensitive personal data at scale, affecting national interest or systemic operations, may be classified as Significant Data Fiduciaries (SDFs). These SDFs face additional compliance requirements, including the appointment of a data protection officer and routine audits.

This wide ambit means that nearly every tech company with a user base in India, ranging from small app developers to multinational corporations like Google, Meta, and Amazon, is likely to be affected by the law.

Consent and User Rights: Shifting Power to the Individual

At the heart of the DPDP Act lies the principle of informed consent. Companies are required to obtain clear, affirmative consent from users before collecting or processing their personal data. The law introduces a unique Indian innovation, the Consent Manager, an independent entity that facilitates, tracks, and manages user consent across platforms in a standardized way. These Consent Managers aim to empower users by making it easier to revoke or grant consent without having to interact with each company separately.

In addition to consent, users (referred to as Data Principals) have a set of rights under the Act. They can request access to their personal data, seek corrections, and even demand the erasure of data no longer necessary. They are also entitled to grievance redressal mechanisms and can nominate someone to exercise their data rights on their behalf in the event of death or incapacity.

For tech companies, these rights create obligations to develop user-friendly data access mechanisms, incorporate data deletion processes, and establish prompt redressal systems. These systems must not only function efficiently but also be demonstrably compliant with the timelines and processes outlined in the law.

Localisation and Cross-Border Data Transfers

One of the most debated aspects of data protection legislation in India has been the question of data localisation. In its final form, the DPDP Act adopts a negative list approach, allowing cross-border transfers of data unless a country is specifically blacklisted by the Indian government. This is more relaxed than earlier proposals that mandated local storage of all personal data.

However, the draft rules released in 2025 hint at a gradual re-introduction of sector-specific localisation requirements. Certain types of data, like health, finance, and government-related information, may still be subject to localisation mandates in the future.

For tech companies operating globally, this means building data infrastructure that is flexible and region-aware. Server location decisions, contractual arrangements with cloud service providers, and data flow monitoring systems must now account for India’s evolving localisation preferences.

Compliance Mechanisms and Enforcement Powers

To enforce the law, the government has established the Data Protection Board of India (DPBI). The DPBI will act as the adjudicating authority for complaints, data breach notifications, and disputes. It has the power to investigate violations, impose penalties, and in extreme cases, recommend blocking access to repeat-offending platforms in India.

The financial penalties outlined in the Act are significant. Fines can go up to Rs 250 crore per violation for data breaches or for failing to implement reasonable security safeguards. Mishandling of children’s data can result in fines of up to Rs 200 crore, while cumulative fines across multiple infractions can go even higher.

These enforcement provisions reflect the seriousness with which the Indian government views data protection. For companies, this is not a law to be ignored or delayed; it demands proactive compliance and risk management from the outset.

Special Considerations: Children’s Data and Government Exemptions

The DPDP Act has specific provisions for the protection of children’s data, prohibiting tracking, targeted advertising, or behavioral profiling of minors. Consent from a parent or legal guardian is mandatory for processing the personal data of anyone under 18. Companies must also implement mechanisms to verify age and obtain genuine parental consent, an especially challenging task in a country with digital literacy and documentation gaps.

Conversely, the Act grants broad exemptions to government entities. For reasons such as national security, public order, or crime prevention, government departments may be exempted from certain provisions of the law. This has led to criticism from privacy advocates, who argue that unchecked government surveillance powers could erode the very privacy the law claims to protect.

Industry Response: Adaptation, Hesitation, and Opportunity

The tech industry’s response to the DPDP Act has been mixed. Large corporations with existing GDPR compliance frameworks may find it easier to adapt, though localisation and Consent Manager integration could still require significant reengineering. Indian startups and small-to-medium enterprises (SMEs), however, face steeper challenges. For them, compliance may involve costly legal consultations, new tech stacks, and operational overhauls.

Some companies have voiced concerns about ambiguous language in the law and the possibility of overreach by enforcement bodies. Others see the Act as a business opportunity, a chance to build trust with users by positioning themselves as privacy-forward platforms.

Still, many are waiting for the final implementing rules to make detailed compliance decisions. Until those rules are finalised, a degree of uncertainty lingers, but most stakeholders agree that data privacy is now a critical part of doing business in India.

Conclusion

The DPDP Act is not just a piece of legislation; it is a statement about the future of India’s digital society. It reflects a global shift toward recognising data privacy as a fundamental right and holds tech companies accountable for the massive volumes of personal information they collect and process.

For India, the law signals maturity in its approach to data governance. It balances individual rights with innovation, though its execution will determine its success. If implemented with transparency, efficiency, and fairness, the DPDP Act could become a model for data regulation in the developing world.

For companies, the message is clear: data protection is not a choice, but a business imperative. Navigating this new era will require agility, investment, and above all, a renewed commitment to user trust.
